What should we do with the UK GDPR?
Iain Bourne, Co-Founder of the Data Protection Reform Group suggests a cost-benefit analysis of the GDPR in the UK, and to exempt low-risk organisations from the most onerous data protection obligations.
The Brexit deal has not clarified the uncertainty over the UK’s future adequacy status, it has extended it. The situation appears to be that the UK may well have lost its adequacy status but EU/EEA to UK data flows can carry on as they did previously. It is good that data flows can continue. However, this transitional arrangement is only for a period of up to four months – extendable to six months – provided that the UK maintains its current data protection arrangements and seeks the consent of the EU-side if there are any significant changes to those arrangements.
The four- to six-month period is to allow the European Commission to complete its assessment of UK adequacy. No-one knows how the assessment will go – much may depend on the political will of the European Commission and the European Data Protection Board (EDPB) in the context of the adequacy criteria set out in the GDPR itself. Thus, the uncertainty continues. However, this is not all bad. The transitional period should give the UK government the opportunity to consider some basic questions concerning the future of UK data protection law.
UK Report subscribers please login to access the full article.
If you wish to subscribe please see our subscription information.